APD/GBA (Belgium) - 81/2020: Difference between revisions

From GDPRhub
Line 110: Line 110:


<pre>
<pre>
1/45
1/45
'''Litigation Chamber'''
'''Litigation Chamber'''



Revision as of 08:07, 22 January 2021

APD/GBA - 81/2020
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR
Article 5(2) GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 14(1) GDPR
Article 14(2) GDPR
Article 15(1) GDPR
Article 24(1) GDPR
Article 24(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 23.12.2020
Published:
Fine: 50000 EUR
Parties: Anonymous (Plaintive - physical person)
Anonymous (Defendant 1 - company specialized in controlling "street parking"
Anonymous (Defendant 2- bailiff's study)
National Case Number/Name: 81/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Belgian DPA (in FR)
Initial Contributor: Mathieu Desmet

The Belgian DPA (APD/GBA) held that two data controllers successively committed various breaches of the Article 5 GDPR principles (lawfulness, data minimisation, accountability, rights of information and access of the data subjects).

English Summary

Facts

A data subject made access requests with the private company ensuring the control of the respect of communal street parking regulations which had imposed him (or her) with a parking fine as well with the bailiff's study charged to insure that such fines are paid.

Dispute

To which extend should a data controller responsible for compliance with municipal regulations and a subsequent data controller to which personal data is transferred inform the data subject about the processing of his or her data as well as subsequent processing and justify the lawfulness and proportionality (data minimisation ) of the processing.

Holding

The Litigation Chamber of the Belgian DPA notes the following breaches in respect of the first defendant:

- a breach of its obligation to inform (article 14.1-2, combined with article 12.3 and 12.1.of the GDPR)

- a breach of its obligation to follow up on the exercise of the complainant's right of access within the legal period allotted to it to do so (Article 15.1 combined with Article 12.3. of GDPR as well as Article 12.2. of the GDPR (obligation to facilitate the exercise of rights)

- a breach of the principle of minimization during the premature consultation of the DIV (register concerning immatriculation of cars) - (article 5.1 c) of the GDPR.

- a breach of its obligation to put in place technical measures and adequate organizational requirements for the implementation of Articles 5.2 and 24. 1-2 of the GDPR.

As to the second defendant the Belgian DPA found that the following breaches were commited :

- a breach of its information obligation (article 14.1-2, combined with article 12.3. of GDPR) - a lack of legal basis with regard to the collection of data by way of the form accompanying the formal notice of payment (article 6 of the GDPR) and a breach of principle of data minimization (article 5.1 c) of the GDPR) given the excessive nature of requested data.

- a breach of Articles 5.2. and 24. 1-2 of the GDPR.

In consequence with the breaches mentionned above the first defendant was sanctionned (In accordance with the Belgian Law of 3 December 2017 establishing the Data Protection Authority) with a reprimand, an order to adopt necessary actions to comply with the GDPR and a 50.000 euro fine.

The second defendant was sanctionned with a reprimand, an order to adopt necessary action to comply with gdpr and a 15.000 euro fine.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/45
'''Litigation Chamber'''

Decision on the merits 81/2020of 23 December 2020
File No .: DOS-2019-02751

Subject: Decision relating to two data controllers intervening successively
noting various breaches of the GDPR principles (lawfulness, minimization,
accountability) and the rights of the people concerned (information, access, facilitation
Rights)

The Contentious Chamber of the Data Protection Authority, made up of Mr. Hielke
Hijmans, chairman, and Messrs J. Stassijns, C. Boeraeve, members, taking up the case in this
composition;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to
protection of individuals with regard to the processing of personal data and the
free movement of such data, and repealing Directive 95/46 / EC (general regulation on
data protection), hereinafter GDPR;
Considering the law of 3 December 2017 creating the Data Protection Authority (hereinafter LCA);
Having regard to the rules of procedure as approved by the House of Representatives on December 20
2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;

Took the following decision regarding:

The complainant: X
Decision on the merits 81 / 2020- 2/45

The first defendant: Y;
Having for advice, Masters Frédéric Dechamps and Nathan
Vanhelleputte, lawyers.

The second defendant: Z;
Advised by Maître S. Parsa, lawyer.
Hereinafter also referred to together as "the defendants";

1. Feedback from the procedure
Considering the complaint filed on May 15, 2019 by the complainant to the Data Protection Authority
(hereinafter APD);
Having regard to the decision taken by the Litigation Chamber during its session of July 12, 2019 to seize
the Inspector General on the basis of Articles 63, 2 ° and 94, 1 ° LCA and the latter's referral to this
same date;
Having regard to the Inspector General's report and investigation report sent on January 6, 2020 to the
Contentious chamber;
Having regard to the letters of January 21, 2020 and February 18, 2020 from the Litigation Chamber informing
parts of its decision to consider the case ready for substantive processing based on
Article 98 LCA and providing them with a timetable for the exchange of conclusions;
Having regard to the main conclusions of the second defendant filed by its counsel, received on March 12
2020;
Having regard to the conclusions of the complainant, received on March 27, 2020;
Having regard to the additional and summary conclusions of the first defendant filed by its counsel,
received on April 14, 2020;
Having regard to the additional and summary conclusions of the second defendant filed by its counsel,
received on April 14, 2020;
In view of the request made by the defendants in the terms of their pleadings to be heard by
the Litigation Chamber in application of article 51 of the internal regulations of the APD;
Decision on the merits 81 / 2020- 3/45
Having regard to the invitation to the hearing sent by the Litigation Chamber to the parties on June 16, 2020;
Considering the information sent on June 25, 2020 to the Inspector General regarding the holding of the hearing to date
of July 13, 2020 in application of article 48.2. the internal rules of the ODA;
Having regard to the hearing during the session of the Litigation Chamber of July 13, 2020 in the presence of the
plaintiff, [...], of the first defendant represented by one of its counsel, Maître Van
Helleputte as well as the second defendant represented by its counsel Maître S. Parsa;
Having regard to the minutes of the hearing and the observations made thereon by the respective counsel
the defendants who were attached to these minutes;
Having regard to the reaction form against a proposed administrative fine sent on the 18th
November 2020 to the first defendant. Under this form, the Litigation Chamber
informs him that he is considering a fine against him as well as the reasons for which the
breaches of the GDPR justify the amount of the fine;
Having regard to the reaction of the first defendant on December 9 to this form;
Having regard to the reaction form against a proposed administrative fine sent on the 18th
November 2020 to the second defendant. Under this form, the Litigation Chamber
communicates that it is considering a fine against it as well as the reasons for
breaches of the GDPR justify this fine amount;
Considering the reaction of December 10, 2020 of the second defendant to this form.

2. The facts

1. The first defendant is a company specializing in “street parking”.
It carries out parking control in the municipalities for which it is the concessionaire of the missions
of public interest. The first defendant employs [...] people. It is also part of the
Group [...].

2. The first defendant manages, under the municipal regulations of the City of [...], the
parkingof certain streets of this municipality.

3. The second defendant is an office of bailiffs located in [...] which deals, in
within the framework of its legal prerogatives defined in Article 519 of the Judicial Code, in particular of
amicable recovery and judicial recovery of debts from its clients. The first one
Decision on the merits 81 / 2020- 4/45
defendant is one of his clients. The firm is responsible for the management of
amicable collection, then, if necessary judicial, of unpaid debts such as royalties
parking.

4. On January 2, 2019, the complainant parked her vehicle in one of the streets of [...] whose
first defendant is responsible for the management of parking lots. The first defendant
states that the complainant was parked in a blue zone in which parking is limited to
thirty (30) minutes. In the absence of a blue disc affixed by the complainant to her windshield and
lack of a parking permit which it would have held, the first defendant indicates
have, in accordance with article [...] of the applicable municipal [...] regulations, placed an invitation to
pay [...] euros on the windshield of the complainant's vehicle. This amount corresponds to the amount
the “Tariff 1” charge of the municipal regulations. The complainant, for her part, denies having found
any invitation to pay on his windshield.

5. The first defendant indicates that it sent a payment reminder to the plaintiff on the 24th.
January 2019, reminder which increases the initial debt by five (5) euros in accordance with article [...] of
municipal regulation already cited. The complainant also denies ever having received such a reminder.

6. In the absence of payment received within 15 days of sending the said reminder of January 24, 2019, and
in accordance with article [...] of the applicable municipal regulations, the first defendant transmitted
the file to his bailiff, or to the second defendant, so that the latter takes charge
to recover the amount owed by the complainant.

7. On February 25, 2019, the complainant received a formal notice from the second
defendant in order to recover the amount due in application of article [...] of the municipal regulation
already cited. To the initial debt, as announced in the reminder letter of January 24, 2019 (point 5 above), there are additional costs in accordance with the Royal Decree of November 30, 1976 fixing the tariff for
acts performed by bailiffs in civil and commercial matters referred to in article
[...] of the municipal regulations. The complainant indicates that she received this formal notice on March 1
2019.

8. On March 3, 2019, the complainant wrote to the second respondent to receive explanations,
indicating that she never received a payment invitation or reminder. She also opposes payment
of the royalty. By the same letter, the complainant questioned the second respondent as to the
legal bases which allow it to access the Vehicle Registration Department (DIV) of
SPF Mobilité and the National Register. Also under the terms of this letter, the complainant exercises
also his right of access to his personal data as recognized by the GDPR (article 15
of the GDPR).

Decision on the merits 81 / 2020- 5/45

9. On the same date, the complainant addressed the same requests to the first respondent.

10. On March 4, 2019, the first defendant referred the complainant to the second defendant
in these words: "Arrange with the bailiff".

11. On March 29, in the absence of a response received from the second defendant, the complainant
wrote back to him noting that the legal deadline of one (1) month to respond to his request for access is on the
point to expire.

12. On April 2, 2019, the second defendant wrote to the complainant in response to her letter of 3
March (point 8 above) and provides it with a certain amount of information on the one hand on the data
which it processes in response to its request for access and information relating to the legal bases mobilized
as well as on the other hand, some information on the treatments operated by his client (the first
defendant). There followed an exchange of correspondence between the complainant and the study of the bailiffs of
justice (second defendant) under the terms of which photos - difficult to read according to the complainant - him
are communicated.

13. On April 8, 2019, the complainant asked the second respondent to communicate the
proof of sending the reminder letter of January 24, 2019 (point 5 above).

14. This also follows a request of April 29, 2019 from the complainant to the first respondent
to receive proof of the sending of this reminder letter of January 24, 2019. In response,
the first respondent provides a copy of the reminder letter and refers the complainant to
bailiffs for the rest.

15. On May 15, 2019, the complainant filed a complaint with the DPA against both the first
defendant that of the second ddefendant. The complainant will bring an addendum to her complaint in
date of June 6, 2019.

16. The complainant also made a request for access to the DIV. From the response received by
the complainant on May 17, 2019, it appears that the first respondent consulted the data of the
complainant on January 3, 2019 at 10:03 p.m., i.e. the day after the finding (from January 2, 2019 - see
point 4 above) of the infringement of the parking rules complained of.

17. In June 2019, the complainant wrote again to both the first and the second respondent
for details of the alleged offense.
Decision on the merits 81 / 2020- 6/45

18. On July 11, 2019, the second respondent responded to the complainant's request for clarification
by indicating that he is accused of not having affixed a valid parking ticket
on his windshield. The first defendant criticizes the complainant for having failed
to affix the required parking disc in the blue zone.
3. The subject of the complaint lodged by the complainant

19. Pursuant to her complaint, the complainant requests that her complaint against the first and
of the second defendants be declared admissible and well founded and that consequently, the
defendants are ordered to comply with the GDPR and Belgian laws, within the
that the Contentious Chamber will consider reasonable, under penalty of penalty.

20. In this regard, the complainant considers that the defendants are guilty:
As to the first defendant:
- a breach of his right to information (Articles 12 and 14 of the GDPR)
- a breach of his right of access (article 15 of the GDPR)
- a breach of Article 28 of the GDPR with regard to the quality of subcontractor of the second
defendant
- a breach of Article 5 of the GDPR (respect for the principle of necessity with regard to the
consultation of the DIV)
- a breach of the principles of proportionality and illegal reuse of data
(Articles 5 and 6 of the GDPR) with regard to the communication of his data at the second
defendant
- a breach of the principle of minimization (article 5 of the GDPR) with regard to the taking of
photograph of his vehicle when the violation of the rules of
parking
As for the second defendant
- a breach of his right to information (Articles 12 and 14 of the GDPR)
- a breach of his right of access (article 15 of the GDPR)
- a breach of Article 28 of the GDPR with regard to its status as a processor
- a breach of the principles of proportionality and illegal reuse of data
(Articles 5 and 6 of the RGPD) which are communicated to him by the first defendant then even
that it would not be validly founded
- a breach of the principles of data minimization and the use of consent
forced (Articles 5 and 6 of the GDPR) with regard to the form attached to the payment notice.
Decision on the merits 81 / 2020- 7/45

21. The complainant also requests that the defendants be sentenced to a sanction
proportionate to the seriousness of the facts, taking into account the object and scope of their activity
professional activity that affects a large number of citizens.

22. Finally, the complainant seeks the condemnation of the defendants to non-anonymized advertising
of the decision of the Litigation Chamber in order to inform the public of illegal practices in
management of parking fees against which they can claim the
respect for their data protection rights.
4. The inspection report of January 6, 2020

23. According to his report, the Inspector General made the following observations:

24. Finding 1: It does not emerge from the information in the file and the responses provided by the
first defendant that the lawfulness of the processing operations carried out by the first and second
defendants in order to recover the regulatory parking debt
communal can be questioned.

25. Finding 2: The information provided to the persons concerned on the site of the
first defendant is incomplete.
The privacy statement appearing on the site of the first defendant [...] does indeed concern
not the personal data that it processes during the monitoring, sending of the reminder and
transmission of the file to the bailiff (second defendant). The contact details of
the privacy officer of the first defendant in charge of processing requests
rights of access for data subjects are not mentioned in this declaration. The
the first defendant therefore does not fulfill its obligation to provide information
easily accessible, in particular by electronic means to the persons concerned, prescribed
section 12.1. of the GDPR.

26. Finding 3: The complainant's right of access to data concerning her processed by the
first defendant was not complied with, in contravention of Article 15 of the GDPR.
Pour only response to her request for access, the complainant was in fact twice referred to
the bailiff [read the second defendant] and a copy of the payment reminder she
disputed having received was provided to him. In this regard, it appears that there is no procedure in place
so that the customer service of the first defendant in charge of complaints can send the
requests relating to the exercise of the rights of the data subject to the life protection officer
deprived of the first defendant.
Decision on the merits 81 / 2020- 8/45

27. Finding 4: Access to the DIV by the first defendant was made the next day
control of the complainant's vehicle. Personal data concerning him
(surname, first name and address) were processed unnecessarily in the period during which the
data subject has the option of paying the fee before sending a reminder to their
name and address, which does not comply with the principle of data minimization provided
in article 5.c [read article 5.1 c)] of the GDPR. According to article [...] of the royalty by-law of the City of
[...] from [……… ..], this period is 10 days. The first defendant argues that in this case
a technical error was encountered in the automated access to the DIV. She joins an exchange of mails
of 14 and 22 November 2019 with its supplier from whom it appears that the data of the DIV are
then received after 48 hours for all of its sites.

28. The Litigation Chamber notes that in the context of its investigation, the response letters
to the questions put to the second defendant by the Inspector General are signed by the group [...].
5. The hearing of July 13, 2020
29. From the hearing of July 13, 2020 - of which a record has been drawn up - are, in addition to the arguments
developed in terms of conclusions, the following elements emerged:
- the status of data controller for each of the defendants;
- the modifications decided by the first defendant to the procedure put in place with the
second defendant for the exercise of data protection rights of
people concerned and more particularly, the decision to keep internal management
requests for the exercise of their rights by data subjects;
- the work of compliance with the GDPR carried out by the judicial officers from the 25th
May 2018, in particular the adoption of a detailed privacy policy available on its website;
- the appointment of a data protection officer (DPO) by both the first and the
second defendants;
- the request for publication of the decision of the Contentious Chamber in a form
anonymized formulated by both the first and the second defendants, in particular
by the image of the function of bailiff (second defendant) as well as the fear of
see, given the number of people whose personal data is processed by
both defendants and the number of complaints against them.
- confirmation that the first defendant is part of the group [...].

PLACE

6. Structure of the decision
Decision on the merits 81 / 2020- 9/45

30. By way of introductory remarks, the Litigation Chamber will formulate a number of
details as to its jurisdiction (7.1.), as to the reference error of the basis of legality of the
treatment spontaneously noted by the first defendant (7.2.) as well as with regard to the quality of
the first and second defendants with regard to the data processing concerned (7.3.).
These clarifications are a prerequisite for consistency and a good understanding of what follows.
of this decision.

31. Then, in Title 8, the Contentious Chamber will successively examine the breaches
which may be retained at the expense of the first defendant on the one hand (Title 8.1.) and at the expense of the
second defendant on the other hand (Title 8.2).

32. Finally, in Title 9, the Contentious Chamber will motivate the corrective measures and sanctions
that it decides to impose on the first defendant on the one hand (Title 9.1.) and on the second defendant
on the other hand (section 9.2.).
7. Introductory remarks
7.1. As for the sovereign appreciation of the Litigation Chamber notwithstanding the findings of the
inspection report and the terms of the complaint

33. On several occasions in its submissions, the second defendant points out that
given that the inspection report did not find any breach in its regard, no
breach could not be held against him by the Litigation Chamber.

34. The Contentious Chamber recalls in this regard that recourse to the Inspection is not
systematically required by the LCA. Indeed, it is for the Litigation Chamber to determine at the
following the filing of a complaint, whether an investigation by the Inspectorate is necessary or not (article 63, 2 ° LCA
- art. 94, 1 ° LCA). The Litigation Chamber may also decide to deal with the complaint without having
referred to the inspection service (art. 94, 3 ° LCA).

35. When seized, the findings of the Inspection certainly enlighten the Chamber
Litigation on the facts of the complaint, on the qualification of these facts with regard to the
data protection regulations and can support one or the other
breach ultimately retained by the Litigation Chamber under the terms of its decisions. However, the
Litigation Chamber remains free, in support of all the documents produced during the procedure
and the arguments developed in the context of the adversarial debate that follows his decision to deal with
the case on the merits (Article 98 LCA) - if necessary after recourse to the Inspectorate -, to conclude
reasoned for the existence of shortcomings that the inspection report did not indicate.
Decision on the merits 81 / 2020- 10/45

36. As for the terms of the complaint, they constitute both for the Inspectorate and for the Chamber
Litigation a starting point. The Litigation Chamber recalls that on several occasions it
ruled that during the procedure following the complaint, it has the possibility of changing the
legal qualification of the facts submitted to it, or to examine new facts related to the complaint,
without necessarily calling on the intervention of the Inspection, in particular by asking questions
to the parties or taking into account new facts or qualifications invoked by way of
conclusion, and this, within the limits of the adversarial debate, namely, provided that the parties have
had the opportunity to discuss these facts or legal qualifications in a manner consistent with the rights of
defense1
.
7.2. As to the basis of legality

37. According to its conclusions, the first defendant specifies that it must correct
a mistake. It specifies that the municipal regulations of [...] on which the lawfulness of the
treatment and whose legitimacy is recognized through the investigation report applies in the case of
parking fees in the event of non-payment via a parking meter.

38. In the present case, the first defendant observes that the fee due by the complainant is due
due to the lack of an affixed blue disc. It is therefore the municipal regulation of [...] relating to
parking in the blue zone which must apply.

39. The first defendant states that, however, since the two municipal regulations
are drafted identically - at least as regards the relevant articles in the
context of this dispute - it is simply necessary to adapt the references made.

40. In her conclusions, the complainant raises the fact that the municipal regulation of the [...] invoked
this time by the second defendant at the bottom of the formal notice she sent him on February 25
2019 (point 7 above) expired on [...], i.e. before the said formal notice was sent and
before the date of the alleged offense (January 2, 2019). It immediately concludes that there is no legality
processing. In its pleadings and in its file of exhibits, the second defendant relies,
contrary to the reference appearing at the bottom of said formal notice, on the municipal regulations
the [...] relating to parking in the blue zone.

1 Voy Litigation Chamber, Decisions 17/2020 (points 26 to 33)
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-17-2020.pdf; 41/2020 (point
12 and points 14-15) https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-41-
2020.pdf and 63/2020 (points 16 to 22): https://www.autoriteprotectiondonnees.be/publications/decision-quantau-fond-n-63-2020.pdf available on the APD website.
Decision on the merits 81 / 2020- 11/45

41. The Contentious Chamber concludes from the foregoing that the defendants agree to
consider that the basis of lawfulness of their processing finds, at least in part, its source in
the municipal [...] regulations relating to parking in the blue zone.

42. The Contentious Chamber can, however, only note a great confusion around
identifying this basis of lawfulness. However, this element is now part of the elements
of information listed in Articles 13.1 c) and 14.1 c) of the GDPR which should be informed
concerned (see below). Likewise, without being compulsory, this information may also appear
in the Register of processing activities which must be regularly updated (Art. 30 GDPR).
Errors such as the one made by the defendants could perhaps be thus
avoided2
.
43. In the present case, the Contentious Chamber is of the opinion that the error in the identification and
communication of the basis of legality is not synonymous with the absence of a basis of legality within the meaning of
Article 6 of the GDPR. As for the information obligation - in particular the basis of lawfulness (Articles 13.1
c) and 14.1 c) of the GDPR) - and, more generally, as regards the effective implementation of Article 24 of
GDPR in this regard, the Litigation Chamber refers to points 8.1.1 and 8.1.4. below.
7.3. As to the qualification of the first and second defendants

44. The complainant notes that the first respondent states that it has put in place a procedure
management of complaints with the second defendant. According to the latter, the second defendant
manages all claims or complaints from the moment the file relating to them has been received
transmitted and is responsible for collecting the amount due. The complainant considers that "if we have to
understand that the second defendant acts as a subcontractor of the first
defendant ", the requirements of Article 28 of the GDPR must apply and therefore the defendants
must be able to demonstrate their effective application.

45. The Contentious Chamber has, at the end of the hearing of July 13, 2020 (title 5 above),
note that both the first respondent and the second respondent qualify as
data controller each for the processing operations they perform and for which they determine
respectively the purposes and the means.

2 See. Commission for the Protection of Privacy, Recommendation 06/2017 of 14 June 2017 relating to the Register
processing activities (Article 30). See. point 42 of the recommendation
https://www.autoriteprotectiondonnees.be/publications/recommandation-n-06-2017.pdf
Decision on the merits 81 / 2020- 12/45

46. ​​Regardless of the qualification given to themselves by the parties, which is not binding3
, The
Litigation Chamber is of opinion, on the basis of the description given by the defendants of the
collaboration between them, that each of them is responsible for processing. Their
interventions in the context of amicable debt collection follow one another in this capacity. The
Litigation Chamber notes in this regard that this collaboration is based, according to the
defendants, on the sole basis of the municipal regulations, with the exception of any other document
supporting their collaboration.

47. The Contentious Chamber also rejects any qualification of co-responsible for
processing within the meaning of Article 26 of the GDPR between the defendants. Indeed, the co-responsibility
requires a joint determination of both the purposes and the means of the identified processing, this
which is not the case in this case.4 Each of the defendants successively carries out

3 European Data Protection Board (EDPS), Guidelines 07/2020 on the concepts of controller and
processor in the GDPR, version 1.0. of September 2, 2020. These guidelines currently exist only in
English. They have been submitted for public consultation and are subject to change
https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf
4
Idem above points 50-55 in particular and the references cited:

50. The overarching criterion for joint controllership to exist is the joint participation of two or more entities in
the determination of the purposes and means of a processing operation. Joint participation can take the form of
a common decision taken by two or more entities or result from converging decisions by two or more entities,
where the decisions complement each other and are necessary for the processing to take place in such a manner
that they have a tangible impact on the determination of the purposes and means of the processing. Important year
criterion is that the processing would not be possible without both parties ’participation in the sense that the
processing by each party is inseparable, i.e. inextricably linked. The joint participation needs to include the
determination of purposes on the one hand and the determination of means on the other hand. (…)

55. It is also important to underline, as clarified by the CJEU, that an entity will be considered as joint controller
with the other (s) only in respect of those operations for which it determines, jointly with others, the means and
the purposes of the processing. If one of these entities decides alone the purposes and means of operations that
precede or are subsequent in the chain of processing, this entity must be considered as the sole controller of this
preceding or subsequent operation.
Free translation by the ODA Secretariat
50. The overall criterion determining the presence of joint responsibility for the processing is participation
joint venture of two or more entities in determining the purposes and means of a processing operation.
Joint participation may take the form of a joint decision taken by two or more entities, or
result from convergent decisions from two or more entities, when these decisions complement each other
mutually and are necessary for carrying out the processing operation in such a way that they have a
impact your ngible on determining the purposes and means of processing. An important criterion is that the
processing would not be possible without the participation of both parties, in the sense that processing by each
part is inseparable, that is to say that these treatments are inextricably linked. Joint participation must
include the determination of purposes, on the one hand, and the determination of the means, on the other.

55. It is also important to stress, as clarified by the CJEU, that an entity will not be considered
as joint controller, with one or more other entities, only with regard to operations for
which it determines, together with the other entities, the purposes and means of processing. If one
of these entities alone decides on the purposes and means of previous or subsequent operations in the chain
processing, this entity must be considered as the sole controller of this operation
anterior or posterior.


48. The Contentious Chamber nonetheless shares the impression of confusion and the lack of
clarity with regard to the persons concerned relayed by the complainant. This is particularly evident in the
response provided by the second defendant to a request to exercise his rights in matters of
data protection sent by the complainant to the first respondent (points 10 and
14 above and 75 below).

49. Nevertheless, the second defendant is neither the subcontractor of the first defendant, nor
joint responsible with her. Therefore, their relationship should not be governed by a subcontract and no breach of Article 28 of the GDPR can be blamed. Their relationship does
should not be framed by an agreement between them as required by Article 26 of the GDPR in
joint liability cases.
8. As to breaches
8.1. As regards the breaches on the part of the first defendant
8.1.1. As for the breach of the information obligation (Articles 12 and 14 of the GDPR)

50. In its capacity as controller, the first defendant is required to
implement Articles 12, 13 and 14 of the GDPR and to be able to demonstrate this effective implementation
(Articles 5.2. and 24 of the GDPR).

51. Pursuant to Article 12.1 of the GDPR, it is the first defendant's responsibility to take
appropriate measures to provide any information referred to in Articles 13 and 14 of the GDPR in a manner
concise, transparent, understandable and easily accessible in clear and simple terms.
in writing or by other means including electronic.

52. In the present case, as regards data which were not collected directly from the
complainant, the first defendant was required to provide her with information with regard to
Decision on the merits 81 / 2020- 14/45 data processing carried out concerning it in the context of the collection of the fee due.
As for the content of this information, in accordance with the case law of the Litigation Chamber,
the elements listed in both § 1 and § 2 of Article 14 had to be communicated to it. 5 The Chamber
Litigation has already specified above that these elements include the exact identification of the
lawfulness of the processing (Article 14.1 c) of the GDPR) (point 42 above).

53. The Litigation Chamber is of the opinion that in light of the amount of information to be provided to
data subject, controllers such as defendants should adopt a
multi-level approach. On the one hand, the person concerned must immediately have a
clear, accessible information on the fact that information on the processing of their data
personal character (privacy policy) exist and where it can be found in
their entirety.

54. On the other hand, without prejudice to the accessibility of the privacy policy in its
completeness, the data subject must, from the first communication from the controller
with them, to be informed of the details of the purpose of the processing concerned, of the identity of the controller
the processing and the rights available to it. The importance of providing this information upstream
follows in particular from recital 39 of the GDPR. Any additional information needed to
allow the persone concerned to understand, from the information provided to this first
level, what the consequences of the treatment in question will have to be added 6
.
55. According to his inspection report of 6 January 2020, the Inspector General, as well as
been recalled in Title 3, notes, with regard to the confidentiality policy, that:
"The privacy statement appearing on the site of the first defendant [...] does not concern
indeed not the personal data that it processes during the control, the sending
the reminder and the transmission of the file to the bailiff (second defendant). The
contact details of the first defendant's privacy officer in charge
to process requests for the right of access from data subjects are not mentioned
in this statement. The first defendant therefore does not fulfill its obligation to
provide easily accessible information, particularly electronically, to individuals
concerned, prescribed in Article 12.1. of the GDPR ”.

5 Article 29 Group, Guidelines on transparency within the meaning of Regulation (EU) 2016/679, WP 260,
revised version of April 11, 2018 (taken over by the European Data Protection Board):
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227 (point 23).
6
Idem (points 35-38).
Decision on the merits 81 / 2020- 15/45

56. In other words, the first defendant's privacy policy does not cover
data processing questioned by the complainant. Indeed, the Inspector General details in
its report that the confidentiality policy available on the site of the first defendant during
of its consultation, concerned exclusively the way in which the data processing "that you
send us through the site and / or otherwise "was carried out (step 5 of the report
inspection).

57. The Litigation Chamber further notes that the first reminder letter sent by
the first defendant to the complainant on 24 January 2019 (point 5 above) contains the clause
next :
PRIVACY
Your personal data in our possession will only be processed within the framework of
of this reminder and, where applicable, of future exchanges between you and our services at
About the payment of the fee concerned. These data will only be kept for
the duration corresponding to this regulation. In accordance with Regulation (EU) 2016/679 of
European Parliament and of the Council of 27 April 2016 on data protection at
personal nature and the free movement of such data, and repealing Directive 95/46 / EC
(general data protection regulation), you can freely exercise your rights
and questions by sending a request to [...] or by email [...]. The protection officer
privacy will contact you to confirm your identity and take the necessary action
to respond to your request.

58. The said letter also mentions the website of the first defendant without
however, reference to the privacy policy in general and a fortiori to the relevant provisions
with regard to the reminder sent (as far as as mentioned above this privacy policy
does not cover this type of treatment). The Contentious Chamber is of the opinion that this clause cannot
to fill in the lack of information on the elements of §§ 1 and 2 of Article 14 of the GDPR (therefore
that as already mentioned, the privacy policy of the first defendant does not cover
the treatments in question).

59. As to the failure to mention the contact details of the privacy protection officer
generally also noted by the investigation report, the Litigation Chamber is of the opinion
that the communication of contact details of the DPO or any other contact address dedicated to the exercise
the rights of data subjects is part of the obligation of data controllers
facilitate the exercise of the rights of data subjects (article 12.2. of the GDPR) 7
.

7 During the hearing on July 13, 2020, the first defendant clarified that its protection officer
privacy is in fact a Data Protection Officer (DPO) within the meaning of Article 37 of the GDPR.
Decision on the merits 81 / 2020- 16/45

60. According to its submissions, the First Respondent states that it "can only
take note of the conclusion of the investigation report which states that "the information provided to
data subjects on the website of [...] is incomplete ”. It also indicates that it takes note that
the Inspector considers that the information "is not easily accessible" to the persons concerned
(point 41 of the conclusions of the first defendant) and makes a number of commitments
vis-à-vis ODA to remedy this (see below under section 9.1. relating to the discussion on the measures
corrective measures and sanctions).

61. When at the time of information, Article 14.3 of the GDPR specifies that the elements listed in
§§ 1 and 2 must be provided within a reasonable time after having been obtained but at the latest
within the month of this obtaining in view of the particular circumstances in which the data
of a personal nature are processed.

62. In the present case, the Complainant and the First Respondent disagree on the issue of
whether this information was provided in a timely manner. The first defendant indeed maintains
that information can be found on the invitation to pay sent to the complainant as well as in her
reminder letter (points 4 and 5 above). The complainant claims that she never received a butterfly or
reminder letter and notes the absence of proof of the communication of these documents - and therefore of
data protection information - by the first defendant. The first one
the defendant also refers to the information provided on its website, while
admitting that this is incomplete (point 60 above).

63. It is not for the Contentious Chamber to determine how the breach
parking rules must be brought to the attention of offenders (flyer, reminder by
regular mail, by registered mail). The fact remains that information on
data processing which takes place both within the framework of the finding of the violation and of the management
recovery of the amount resulting from this, must be communicated within the deadline
prescribed in Article 12.3 of the GDPR in a useful manner (taking into account, for example, the deadline for
payment given), or, depending on the context, without waiting for the expiry of the said deadline.

64. In support of the foregoing findings and the information obligation that weighs on the first
defendant, the Litigation Chamber finds a breach of Article 14.1-2 of the GDPR therefore
that the privacy policy of the first defendant does not cover the processing of
data processed in this case (amicable debt collection). The "Privacy" clause appearing on its
reminder mail, insufficient in content, is not likely to remedy this. This failure
is also combined with Article 12.3 of the GDPR. The Litigation Chamber is of the opinion that
if the information is not given or is incomplete, a fortiori it was not provided within the time limit
Decision on the merits 81 / 2020- 17/45
required. Finally, these breaches are combined with a breach of Article 12.1 of the GDPR (default
accessibility of the DPO's contact details in the privacy policy).
8.1.2. As for the breach of the right of access (article 15 of the GDPR)

65. According to Article 15 of the GDPR, the data subject has the right to obtain from the controller
of processing the confirmation that personal data concerning him are or are not
not processed and, when they are, access to said personal data as well as
information items listed in letters a) to h) of Article 15.1. of the GDPR.

66. In the present case, according to the terms of his report, the Inspector General finds in this regard
next :
"Ms. X's right of access (read the complainant) to data concerning her processed by
[...] (read the first defendant) was not respected, in contravention of article 15
of the GDPR.
The only response to her request for access was Ms. X (read the complainant) was in fact
twice referred to the bailiff (read the second defendant) and a copy
of the payment reminder she disputed having received was provided to her. In this regard, it appears
that there is no procedure in place for customer service [...] (read the first
defendant) in charge of complaints send requests relating to the exercise of
rights of the data subject to the privacy officer of [...] (read the
first defendant) ”.

67. According to its submissions, the first defendant describes that, having regard to the nature of
its activities, it faces a significant number of complaints and complaints. In practice, there
described (and confirmed during the hearing on July 13, 2020) that as soon as it is found that the offender
has not paid his fee within the required time, the case is transferred to the second defendant who
is responsible for collecting the amount due. The first defendant specifies that any request
carried out after the file has been transmitted to the bailiff must be processed
directly with the bailiff to prevent contradictory information from being transmitted
to the complainant. What she describes as being a procedure organized with the second defendant
However, apart from the municipal regulations to which the defendants both refer
during the hearing, not framed by a precise and detailed written procedure between them (point t 46 above).

68. As for the management of requests to exercise their rights in terms of the protection of
data by the data subjects, the first defendant states that their separate management of
that of complaints management described in point 67 above, requires that an email be sent to a
e-mail address dedicated to this type of request, ie the address [...].
Decision on the merits 81 / 2020- 18/45

69. The first respondent notes in this regard that the complainant did not correspond with her
via this specific email. The complainant therefore (paragraph 67 above), for only answer, was
referred to the second defendant as in the case of a non-application related complaint
of the rights of data subjects in terms of data protection: "Please contact
to the bailiff "; and this since his request was subsequent to the communication of the file to the
second defendant.

70. As the Inspector General notes in his report, the Litigation Chamber notes
that while the complainant's request raised data protection issues, there is no
no internal referral to the first defendant's data protection officer. This
way of proceeding appears contrary to the "Privacy" clause appearing on the formal notice of the
first defendant which indicates that for the exercise of their rights in matters of protection
data, debtors are invited to contact the first defendant (first contact
"Natural" after all), which suggests that it is indeed the first defendant who
will examine their request (point 57 above).

71. The second respondent, on behalf of the first respondent, replied to the complainant by
letter of April 2, 2019, or according to the first defendant, within the one month period required by article
12.3. of the GDPR. According to this letter, the second defendant provides it with a certain number
information on the processing carried out by the first defendant.8 It also attaches the
photographs (point 12) and the reminder letter of January 24, 2019.

72. Moreover, in the same letter, the second defendant also communicates to the
complainant of the elements relating to the request for access addressed to her directly regarding her
own processing (see point 8.2.2 below).

73. The Litigation Chamber is of the opinion that the establishment of internal procedures and
standards dedicated to the exercise of the rights of data subjects in terms of the protection of
data is essential and likely to contribute to the effective application of these rights. It facilitates
certainly their exercise as required by Article 12.2. of the GDPR. In a structure such as
first defendant, given the volume of data processed, the Litigation Chamber considers it

8 Extract from the letter of April 2 from the second defendant: “As for our client, he is mandated by the city of
[...] to operate the recovery of unpaid parking fees. It is registered with the
Commission for the Protection of Privacy and, to this end, has received the attached document authorizing him to receive
IVD data for the sole purpose of collecting unpaid royalties. As part of its mandate, our
customer obtains name, first name and address in order to send a reminder letter. Subsequently if the file is not
paid, it is sent to the study as provided for by municipal regulations. According to him, this data is deleted
upon receipt of payment ”.
Decision on the merits 81 / 2020- 19/45
essential. However, the persons concerned cannot be criticized for using another channel
communication to address their requests. No adverse consequences for the person
concerned cannot be drawn from the fact - even in the hypothesis that it would have been correctly
informed - that they have not used the correct form or have contacted the person in charge of
processing by another means, via an incorrect e-mail address for example. Abundantly, the
Litigation Chamber is of the opinion that in this case, the distinction between "complaint" and "exercise of a right
access to his data "in the context of a request for payment of a
parking is not easy to operate for any citizen.

74. The Contentious Chamber therefore notes that in any event, the first defendant does not
could hide behind the "error" that she invokes on the part of the complainant to consider
that she herself would have been exempted from her obligation to respond to the request to exercise the right
access of the complainant.

75. In the present case, each of the defendants being a separate person responsible (and not
jointly responsible as it has already been explained in section 7.3. above), it is their responsibility to give
following the exercise of the rights of data subjects with regard to the processing operations they carry out
each respectively. The Litigation Chamber ne can exclude that in fact, without being nor
subcontractors or joint managers, controllers agree among themselves that
one responds to the request to exercise the rights of data subjects on behalf of the other who
mandate to do so. If this were to be the case, the procedure put in place should be perfectly
clear and understandable for the persons concerned who must have been informed. Indeed,
this way of proceeding is very likely to lead to confusion about the role of each. In
in this case, this led the Complainant to believe that the Second Respondent was the subcontractor of
the first defendant. In this case, the first point of contact for the debtor of the royalty is, eu
having regard to the facts and in the absence of other clear information, naturally the first defendant. The
Contentious Chamber notes in this regard that the first defendant indicated to the Chamber
Litigation now favor a reorganization of procedures which would retain internal
management of complaints relating to the data processing it operates.

76. Nor can the first defendant consider that since the second
defendant replied to the complainant on April 2, 2019, she herself would have been exempted from doing so
except to consider that the second defendant, mandated by the first, would have responded in a manner
complete, transparent and in accordance with Article 15 of the GDPR with regard to the processing operations carried out by the
first defendant, which is not the case. The second defendant admittedly provides some
number of elements but these do not completely meet the requirements of the article
15.1 of the GDPR.
Decision on the merits 81 / 2020- 20/45

77. The Contentious Chamber notes overwhelmingly that the first defendant does not dispute
not his lack of response, a fortiori within the time limit required by Article 12.3. of the GDPR.

78. The Contentious Chamber concludes from the foregoing that the first respondent did not
right to the complainant's request for access in a satisfactory manner and that there was a breach in
its head in Article 15.1 of the GDPR, combined, a fortiori, in Article 12.3. of the GDPR. The first one
the defendant also failed to fulfill its obligation to facilitate the exercise of the rights of
data subjects required by Article 12.2. of the GDPR.
8.1.3. As for the breach of the principle of minimization (article 5.1 c) of the GDPR)
8.1.3.1. In view of the consultation of the DIV

79. The complainant accuses the first respondent of having consulted the DIV in such a way
premature on January 3, 2019, that is, before the expiry of the period given to him to fulfill
spontaneously of the amount of the royalty claimed. According to her, this consultation therefore took place
in violation of the principle of minimization according to which "personal data
must be: c) adequate, relevant and limited to what is necessary for the purposes for
which they are processed (data minimization) ”(article 5.1 c) of the GDPR).

80. According to his report, the Inspector General concludes in this regard that "data to
personal character of the [complainant] concerning (name, first name and address) were treated without
necessity in the period during which the data subject has the opportunity to pay the
fee before sending a reminder sent to his name and address, which is not compliant
with the principle of data minimization provided for in Article 5.c [see Article 5.1 c)] of the GDPR. next
the article [...] of the By-law of the City of [...] parking ticket machines 2019, this
delay is 10 days ”.

81. The first defendant does not dispute that this consultation of the DIV took place on 3
January 2019 at 10:03 p.m., i.e. the day after the complainant's parking violation on January 2
2019. She explains that as soon as she was informed of what she called "an error", she
immediately requested an adaptation of the system to take into account the deadlines
imposed by the various municipal regulations and thus put an end to this practice of consultation
immediate DIV. The first defendant further adds that when it made this request
to his IT service provider, the latter informed him that the system had been corrected as soon as
August 26, 2019.

82. The Litigation Chamber recalls that access to the DIV is strictly regulated taking into account
the sensitivity of this database and that only authorized bodies are authorized to
Decision on the merits 81 / 2020- 21/45
to access. It was up to the first defendant to organize this access in accordance with the principles
of data protection by design and by default (article 25 of the GDPR) in order to
effectively implement the principle of data minimization.

83. The Contentious Chamber can only note, in support of the documents produced in e can exclude that in fact, without being nor
subcontractors or joint managers, controllers agree among themselves that
one responds to the request to exercise the rights of data subjects on behalf of the other who
mandate to do so. If this were to be the case, the procedure put in place should be perfectly
clear and understandable for the persons concerned who must have been informed. Indeed,
this way of proceeding is very likely to lead to confusion about the role of each. In
in this case, this led the Complainant to believe that the Second Respondent was the subcontractor of
the first defendant. In this case, the first point of contact for the debtor of the royalty is, eu
having regard to the facts and in the absence of other clear information, naturally the first defendant. The
Contentious Chamber notes in this regard that the first defendant indicated to the Chamber
Litigation now favor a reorganization of procedures which would retain internal
management of complaints relating to the data processing it operates.
76. Nor can the first defendant consider that since the second
defendant replied to the complainant on April 2, 2019, she herself would have been exempted from doing so
except to consider that the second defendant, mandated by the first, would have responded in a manner
complete, transparent and in accordance with Article 15 of the GDPR with regard to the processing operations carried out by the
first defendant, which is not the case. The second defendant admittedly provides some
number of elements but these do not completely meet the requirements of the article
15.1 of the GDPR.
Decision on the merits 81 / 2020- 20/45
77. The Contentious Chamber notes overwhelmingly that the first defendant does not dispute
not his lack of response, a fortiori within the time limit required by Article 12.3. of the GDPR.
78. The Contentious Chamber concludes from the foregoing that the first respondent did not
right to the complainant's request for access in a satisfactory manner and that there was a breach in
its head in Article 15.1 of the GDPR, combined, a fortiori, in Article 12.3. of the GDPR. The first one
the defendant also failed to fulfill its obligation to facilitate the exercise of the rights of
data subjects required by Article 12.2. of the GDPR.
8.1.3. As for the breach of the principle of minimization (article 5.1 c) of the GDPR)
8.1.3.1. In view of the consultation of the DIV
79. The complainant accuses the first respondent of having consulted the DIV in such a way
premature on January 3, 2019, that is, before the expiry of the period given to him to fulfill
spontaneously of the amount of the royalty claimed. According to her, this consultation therefore took place
in violation of the principle of minimization according to which "personal data
must be: c) adequate, relevant and limited to what is necessary for the purposes for
which they are processed (data minimization) ”(article 5.1 c) of the GDPR).
80. According to his report, the Inspector General concludes in this regard that "data to
personal character of the [complainant] concerning (name, first name and address) were treated without
necessity in the period during which the data subject has the opportunity to pay the
fee before sending a reminder sent to his name and address, which is not compliant
with the principle of data minimization provided for in Article 5.c [see Article 5.1 c)] of the GDPR. next
the article [...] of the By-law of the City of [...] parking ticket machines 2019, this
delay is 10 days ”.

81. The first defendant does not dispute that this consultation of the DIV took place on 3
January 2019 at 10:03 p.m., i.e. the day after the complainant's parking violation on January 2
2019. She explains that as soon as she was informed of what she called "an error", she
immediately requested an adaptation of the system to take into account the deadlines
imposed by the various municipal regulations and thus put an end to this practice of consultation
immediate DIV. The first defendant further adds that when it made this request
to his IT service provider, the latter informed him that the system had been corrected as soon as
August 26, 2019.
82. The Litigation Chamber recalls that access to the DIV is strictly regulated taking into account
the sensitivity of this database and that only authorized bodies are authorized to
Decision on the merits 81 / 2020- 21/45
to access. It was up to the first defendant to organize this access in accordance with the principles
of data protection by design and by default (article 25 of the GDPR) in order to
effectively implement the principle of data minimization.
83. The Contentious Chamber can only note, in support of the documents produced in s the file
and the Inspector General's finding that there was a breach of the minimization principle provided for in
Article 5.1 c) of the GDPR in respect of the first defendant.
8.1.3.2. In view of the communication of the complainant's data to the second defendant

84. As regards the transfer of the complainant's data by the first respondent to the
second defendant, the Litigation Chamber insists that this communication not take place
only when necessary otherwise it would violate the principle of minimization. So,
the data subject should be allowed the time allotted to him to pay the fee
before entering the bailiff. The second defendant is indeed justified in intervening and
therefore to be provided with the data of debtors such as the complainant, that in default of payment in
the time limit provided for by the municipal implementing regulations.
8.1.3.3. In view of the taking of photographs and their conservation for the purpose of establishing
the offense

85. According to its conclusions, the complainant also criticizes the first respondent
to process (including keeping) a certain number of personal data
concerning in violation of the principle of minimization and this, for the purposes of establishing the lack of
payment of the royalty due. Thus, the complainant considers, for example, that the photographs of her
vehicle (including their professional card on the passenger compartment, the name of their garage)
do not provide any element likely to specify the offense with which it is charged and are therefore without
relevance. The same goes for the photograph of her license plate which she is wondering about
on the necessity of the treatment (including conservation).

86. The first defendant indicates in the terms of its conclusions that its agents collect
such data as part of the establishment of the offense. It must, in accordance with Article 870
of the Judicial Code and taking into account the case law of the courts and tribunals, provide evidence
of the offense it alleges before the competent courts. Finally, she adds:
"That by taking the photos to ensure with certainty that no ticket or disc of
parking is not shown on the windshield of the vehicle, as the car is parked in a
place where parking is paid and / or in the blue zone on a date when the person concerned
must pay for this parking, the conclusive one does not violate the principle of minimization ”(page
14 of the conclusions of the first defendant).
Decision on the merits 81 / 2020- 22/45

87. The Contentious Chamber recalls that was it for the purpose of obtaining the necessary evidence
for a breach of a parking rule, the data controller is required to respect
all the obligations incumbent upon it under the GDPR throughout the duration of the
processing (collection, communication, storage, etc.) of personal data. It does not appear from
the primary competence of the Contentious Chamber to determine what evidence would be
sufficient and relevant to present to the competent courts. The fact remains that
as soon as this evidence constitutes personal data - including images
as in the present case - processed for the purposes of establishing the alleged facts, this data must be
relevant to the purpose pursued. Without finding a breach of the principle of
minimization in the case of the first defendant in this case, the Litigation Chamber invites
the latter to be attentive to the future and to sensitize its employees who make the findings on the
ground to act with discernment in this regard. The Litigation Chamber also recalls the principle
according to which personal data cannot be kept for a period not exceeding
that necessary with regard to the purposes for which they are processed (article 5.1 e) of the GDPR).
8.1.4. As for breaches of Articles 5.2. and 24 of the GDPR

88. Article 24.1 of the GDPR which covers Chapter IV of the GDPR devoted to the obligations of
data controllers (and subcontractors) and which reflects the principle set out in Article 5.2. of
RGPD, provides that "taking into account the nature, scope, context and purposes of the processing
as well as risks, of varying degrees of probability and severity, for the rights and freedoms of
natural persons, the controller implements the technical measures and
appropriate organizational structure to ensure and be able to demonstrate that the treatment is
carried out in accordance with these regulations. These measures are reviewed and updated if
necessary. "

89. Section 24.2. of the GDPR specifies that when this is proportionate to the activities of
treatment, the measures referred to in Article 24.1. of the above GDPR include the implementation
appropriate policies in data protection by the controller.

90. The Contentious Chamber is of the opinion, in view of what has been noted above in Headings 8.1.1.,
8.1.2. and 8.1.3. , which the first defendant was at the time of the facts failing to implement
the appropriate technical and organizational measures required by Articles 24.1 and 2 of the GDPR to
guarantee not only an effective exercise of the rights of data subjects such as the complainant -
in particular his right to information and his right of access - as well as respect for the principle of
minimization when consulting the DIV.
Decision on the merits 81 / 2020- 23/45

91. With regard more particularly to the rights of data subjects, the Chamber
Litigation insists on the fact that the municipal regulation, which certainly describes the succession of
interventions by the first and second defendant in the context of amicable recovery
parking fee, cannot by itself constitute an adequate measure within the meaning of Article
24 of the GDPR. It does not allow the first defendant or to ensure that the processing is carried out
in accordance with the GDPR nor to demonstrate it. The Litigation Chamber nevertheless takes note of the
commitments made by the first defendant to comply with its obligations in this regard (see.
infra title 9.1.).
8.1.5. Conclusion as to the breaches of the first defendant

92. In conclusion, the Contentious Chamber notes the following failings in the area of
the first defendant:
- a breach of its obligation to inform (article 14.1-2, combined with article 12.3 and 12.1.
of the GDPR)
- a breach of its obligation to follow up on the exercise of the complainant's right of access
within the legal period allotted to it to do so (Article 15.1 combined with Article 12.3. of
GDPR as well as Article 12.2. of the GDPR (obligation to facilitate the exercise of rights))
- a breach of the principle of minimization during the premature consultation of the IVD
(article 5.1 c) of the GDPR)
- a breach of its obligation to put in place technical measures and
adequate organizational requirements for the implementation of Articles 5.2 and 24. 1-2 of the GDPR.
8.2. As to the breaches on the part of the second defendant
8.2.1. As for the breach of the information obligation (Articles 12 and 14 of the GDPR)

93. The complainant criticizes the second defendant for not having informed her in accordance
to the requirements of Article 14 of the GDPR when it first comes into contact with it, or through the setting
formal notice that it sent to it on February 25, 2019 (point 7 above).

94. The second defendant considers that the exception provided for in Article 14.5. c) from
GDPR is applicable to it. In this regard, it relies on Article [...] of the municipal regulations of [...]
reproduced below9

:[……]

9 Note that in its formal notice of February 25, 2019, the second defendant refers to a settlement
communal (erroneous - see Title 7.2. above) only in these terms: "the possible recovery costs
amicably charged to the user are in accordance with article [...] of the municipal regulations of [...] of the
municipality of [...] relating to the parking fee ”.
Decision on the merits 81 / 2020- 24/45

95. The Litigation Chamber notes that under Article 14.5.c) of the GDPR, the person responsible
processing is exempt from its obligation to provide information when and to the extent that "obtaining
or the communication of information is expressly provided for by Union law or by law
of the Member State to which the controller is subject and which provides for measures
appropriate measures aimed at protecting the legitimate interests of the data subject '
10
.

96. The Contentious Chamber notes a language difference between the French version and, by
example, the Dutch and English versions of this provision. Indeed, while the version
French of Article 14.5.c) mentions "when and to the extent that the obtaining or the communication
information is expressly provided for by Union or Member State law ", the versions
Dutch and English respectively use the following terms: "wanneer en voor
zover het verkrijgen of verstrekken van de gegevens uitdrukkelijk is voorgeschreven bij Unierecht of
lidstaatelijk recht ”and“ where and insofar obtaining or disclosure is expressly laid down byUnion or
Member State law ”. The Litigation Chamber is of the opinion that it is the obtaining and the
communication of data which must be provided for by national law and notwithstanding the terms of
the French version of Article 14.5.c) of the GDPR.

97. The Contentious Chamber considers that the second defendant cannot rely on the
exemption from the information provided for in Article 14.5 c) of the GDPR in this case for the reasons described below.

98. What is provided for in Article 14.5. c) of the GDPR constitutes an exception to the right to informationormation.
Failing to be informed that data processing concerning him is carried out, the person
concerned is deprived of information which is in principle spontaneously provided to him by the manager
processing and which facilitates the exercise of its other rights of which it is also informed of
the existence and modalities of exercise (article 13.2 b), c) and d) and 14.2 c), d) and e) of the GDPR).

99. This exemption must be interpreted restrictively since it constitutes a
exception to the information obligation provided for by the fundamental right to data protection11 and
all the more so as it deprives, as already mentioned, the data subject of information about
the existence and the modalities of exercise of its other rights which are NOT subject
with the same exception "in the event of obtaining or communicating expressly provided for by law". As
for example, the right of access (Article 15 of the GDPR) - which in turn paves the way for the exercise of others

10 It is the Litigation Chamber that emphasizes.
11 The Contentious Chamber recalls the constant case law of the Court of Justice of the European Union which
interprets the exceptions to the fundamental right to data protection restrictively: see. by
example: C. Docksey and H. Hijmans, The Court of Justice as a Key Player in Privacy and Data Protection, EDPL
Review (2019), pp. 300-316, and the case-law cited (in particular, p. 309).
Decision on the merits 81 / 2020- 25/45
rights such as the right to rectification, opposition or even erasure in particular - do not know
this exception (article 15.4. of the GDPR).

100. The Litigation Chamber notes that in this case, as already noted, the municipal regulations
relied on by the second defendant describes the succession of interventions by the first and
second defendants in the management of the collection of parking fees (as well as
surcharges due in default / or in the event of late payment). In other words, the regulation
municipality on which the second defendant bases its exemption from information does not inform
to the data processing carried out in execution thereof. At most it allows us to deduce that
information will be exchanged between the first and the second respondent in the context
a violation of the parking rules in order to recover the fee due. We design
certainly that these interventions will induce the obtaining and communication of personal data. Those -
However, these are not expressly provided for, at most they can be implicitly deduced.

101. Moreover, this exception can only be invoked if appropriate guarantees aimed at
protect the legitimate interests of the persons concerned are provided for by said regulation. The
Litigation Chamber considers that in the present case, these guarantees must consist of a set
minimum information relating to data processing which must appear in the act
regulatory under which the communication of information takes place.

102. The Litigation Chamber is of the opinion that at a minimum, the following information -
inspired by Article 23.2. of the GDPR - should have been included: purpose of the processing, categories of data
of a personal nature processed, identity of the controller, retention period and a
reference to the rights of data subjects.

103. Those guarantees must admittedly be provided for by national law. The lack of guarantees
appropriate is certainly not attributable to the second defendant. The fact remains that at
under the GDPR, it is the data controller who is responsible for verifying whether he can legitimately
invoke the exception provided for in Article 14.5.c) of the GDPR. The Litigation Chamber recognizes that in
depending on the case and in particular the quality of the data controller, this examination may
not be easy, especially with regard to the existence of appropriate guarantees. However, in this case,
the municipal regulation that the second defendant relies on in support of its exemption does not deal with
data protection aspects, which left little room for doubt as to
whether he could legitimize a waiver of information. The legal framework for
the profession of bailiffs and the respect due to their ethical rules are not enough in themselves
to constitute appropriate guarantees in terms of data protection within the meaning of Article 14.5.c)
of the GDPR.
Decision on the merits 81 / 2020- 26/45

104. In conclusion, the Contentious Chamber finds that the second defendant, relying on
wrong on the exemption provided for in Article 14.5 c) of the GDPR (since the municipal regulation does not provide
not expressly obtaining and communicating data and in the absence of guarantees
appropriate otherwise) failed to fulfill its obligation to provide information, thus contravening Article 14.1-2
taken together with section 123. of the GDPR.

105. According to its conclusions, the second defendant indicates to the Contentious Chamber
What does it say "if the exception should not apply, she noted that the reference to her website
appearing in his letters of formal notice does not, at least at first glance, allow
to inform the persons concerned that they can obtain information directly on the website of the
conclusive ”(page 9 of the main conclusions of the second defendant). She proposes
to add to the reference appearing on its model a specific mention concerning the protection of life
privacy policy referring to its privacy information document available on its site.

106. The Contentious Chamber is indeed of the opinion that the mere mention of a website
on a letter - site on which a privacy statement can be viewed - does not constitute
not information that complies with the requirements of the GDPR. At a minimum, a “protection of
data ”containing the essential elements of the processing operations concerned and an explicit reference to the
privacy policy (relevant part if applicable) available on the site for the surplus must
To be scheduled. The Contentious Chamber reviews in this regard what it has indicated above with regard to
the “Privacy” clause of the first defendant (point 57 et seq.).

107. The Contentious Chamber also wishes to clarify the following. As part of his
argument, the second defendant concludes that the GDPR does not impose on the person responsible for
processing to communicate to the persons concerned the references of the supporting normative act
which he considers to be exempted from his obligation to inform. However, failing any
information in this regard, it is illusory to think that the persons concerned will seek (and
will find) the normative act in question containing the required guarantees and allowing them to
get informed. The Contentious Chamber considers that it would be, when this exemption from information can be
invoked (quod non in this case), it is good practice to communicate this reference.
8.2.2. As for the breach of the right of access (article 15 of the GDPR)

108. As the Contentious Chamber recalled above with regard to the obligations of
first defendant, the data subject has the right to obtain from the controller the
confirmation that personal data concerning him is or is not being processed and,
when they are, access to said personal data as well as the elements
information listed in letters a) to h) of Article 15.1. of the GDPR.
Decision on the merits 81 / 2020- 27/45

109. The complainant reports a fragmentary response to the request for the right of access that she has
addressed to the second defendant. She is of the opinion that she was not fully informed
relative to the source of the data.

110. The second defendant points out that on page 3 of its letter in reply of 2 April 2019,
she specified that she was mandated by the first defendant who had communicated to her the
complainant and file data.

111. Based on the documents produced, the Contentious Chamber is not in a position to conclude that
a breach of Article 15 of the GDPR on the part of the second defendant.
8.2.3. Regarding the breach of the principles of proportionality and illegal reuse of data
(Articles 5 and 6 of the RGPD) which are communicated to him by the first defendant then even
that it would not be validly founded

112. The Contentious Chamber notes that the Complainant considers that the second Respondent
performs illegal data processing when it collects and stores data relating to
his vehicle (photos of the windshield and general photo of the vehicle sent to him by the
first defendant). The Contentious Chamber refers in this regard to the considerations it has
set out in Title 8.1.3.3. above with regard to this complaint also criticized in the first
defendant.

113. The Contentious Chamber does not find any breach in the head of the second
defendant in this regard.
8.2.4. As for the payment request form and the obtaining of a forced consent (article
6.1 a) of the GDPR - article 5.1 c) of the GDPR)

114. On February 25, 2019, the Complainant was sent by the Second Respondent a warning
remains to pay the amount of the fee of […] euros ([…] +5) plus the summons costs
and a collection fee, bringing the amount claimed to the sum of […] euros (point 7 above).

115. A form was attached to this formal notice, entitled "Form to be returned to us"
printed in larger letters, framed and immediately followed by the following statement, in bold
underlined: "Only this duly completed form and its annexes will be taken into account for the
processing of your payment request or your dispute ”.

116. The following data are requested at the ends of this form: surname, first name, date of
birth, address, postal code and town, telephone number, mobile number, e-mail address.
Decision on the merits 81 / 2020- 28/45
Three choices in terms of payment proposals are also mentioned under which
the debtor
- (1) undertakes to pay the full amount on a date to be mentioned, or
- (2) request a clearance plan or
- (3) indicates that it is impossible to pay the amount.

117. As a preliminary point, the Contentious Chamber notes that the complainant denounces the use of this
form by the second defendant without it being established that she herself completed it. There is
therefore no, strictly speaking, "processing of personal data" by the complainant
via this form. Refusal to complete a form that turns out to be against the law (as it will be
demonstrated below), however, cannot result in a situation whereby the House
Litigation could not exercise the missions and powers conferred on it by Articles 57 and 58 of the
RGPD and the LCA with regard to a practice that involves data processing subject to the RGPD.
The contentious chamber is, therefore, irrespective of whether there is a breach
with regard to the complainant, empowered to examine this grievance against which the second respondent has
also had the opportunity to defend themselves.

118. The complainant considers that, given the wording of the form, its presentation,
its content and the fact that it constitutes an annex to a formal notice of payment, it cannot be
considered that the consent of the data subject to provide the data mentioned on this
form would be free. The complainant is also of the opinion that the collection of data via this form
ignored the principle of minimization.

119. The second defendant argues, on the contrary, that this form allows persons
concerned to voice their dispute or their wish to benefit from a clearance plan.
The second defendant adds that the purpose of the form is clearly stated in the setting
remains of which it constitutes an annex and that no obligation for the person concerned can
be deduced from this formulation. Therefore, it can legitimately rely on Article 6.1 (a) of the
GDPR to collect said data and carry out subsequent processing. The notice
states that consultation of the file and requests for online clearance and / or payment may
be done via the site or by e-mail and that additional information can be obtained via
the form.

120. As to the principle of minimization, the second defendant states that the form allows,
by offering the persons concerned various possibilities (postal address, telephone number
telephone, mobile phone number, e-mail address) to choose the mode of communication and
the contact data necessary for this purpose without there being any obligation to complete the form
Decision on the merits 81 / 2020- 29/45
(point 119 above), nor - in the event that the debtor wishes to make use of it - obligation to
provide data for each of the headings of said form.

121. The Contentious Chamber recalls that Article 4.11. of the GDPR defines the consent of the
person concerned as being "any manifestation of will, free
12
, specific, illuminated and
unambiguous by which the data subject accepts, by a declaration or by a clear positive act,
that personal data concerning him / her are processed. " The
consent on which data processing is based pursuant to Article 6.1. a) of the GDPR must
meet all the qualities required by this definition.

122. The adjective "free" implies choice and real control for those concerned. The
consent can only be valid if the data subject is genuinely able
to exercise a choice and if there is no risk of deception, intimidation, coercion or
significant negative consequences (e.g. significant additional costs) if it does not give
his consent. Consent will not be free when any element of coercion, pressure
or inability to exercise meaningful choice will be present. Consent will therefore not be
not considered to be freely given if the data subject is not able to refuse
or withdraw consent without suffering prejudice. The controller must also
demonstrate that it is possible to refuse or withdraw consent without suffering prejudice
(recital 42 of the GDPR) 13

123. When determining whether consent is freely given, it is therefore appropriate to
account of a possible imbalance in the balance of power between the person concerned and the manager
treatment. Recital 43 of the GDPR makes it clear that it is not likely that authorizations s of this form: surname, first name, date of
birth, address, postal code and town, telephone number, mobile number, e-mail address.
Decision on the merits 81 / 2020- 28/45
Three choices in terms of payment proposals are also mentioned under which
the debtor
- (1) undertakes to pay the full amount on a date to be mentioned, or
- (2) request a clearance plan or
- (3) indicates that it is impossible to pay the amount.

117. As a preliminary point, the Contentious Chamber notes that the complainant denounces the use of this
form by the second defendant without it being established that she herself completed it. There is
therefore no, strictly speaking, "processing of personal data" by the complainant
via this form. Refusal to complete a form that turns out to be against the law (as it will be
demonstrated below), however, cannot result in a situation whereby the House
Litigation could not exercise the missions and powers conferred on it by Articles 57 and 58 of the
RGPD and the LCA with regard to a practice that involves data processing subject to the RGPD.
The contentious chamber is, therefore, irrespective of whether there is a breach
with regard to the complainant, empowered to examine this grievance against which the second respondent has
also had the opportunity to defend themselves.

118. The complainant considers that, given the wording of the form, its presentation,
its content and the fact that it constitutes an annex to a formal notice of payment, it cannot be
considered that the consent of the data subject to provide the data mentioned on this
form would be free. The complainant is also of the opinion that the collection of data via this form
ignored the principle of minimization.

119. The second defendant argues, on the contrary, that this form allows persons
concerned to voice their dispute or their wish to benefit from a clearance plan.
The second defendant adds that the purpose of the form is clearly stated in the setting
remains of which it constitutes an annex and that no obligation for the person concerned can
be deduced from this formulation. Therefore, it can legitimately rely on Article 6.1 (a) of the
GDPR to collect said data and carry out subsequent processing. The notice
states that consultation of the file and requests for online clearance and / or payment may
be done via the site or by e-mail and that additional information can be obtained via
the form.

120. As to the principle of minimization, the second defendant states that the form allows,
by offering the persons concerned various possibilities (postal address, telephone number
telephone, mobile phone number, e-mail address) to choose the mode of communication and
the contact data necessary for this purpose without there being any obligation to complete the form
Decision on the merits 81 / 2020- 29/45
(point 119 above), nor - in the event that the debtor wishes to make use of it - obligation to
provide data for each of the headings of said form.

121. The Contentious Chamber recalls that Article 4.11. of the GDPR defines the consent of the
person concerned as being "any manifestation of will, free, specific, illuminated and
unambiguous by which the data subject accepts, by a declaration or by a clear positive act,
that personal data concerning him / her are processed. " The
consent on which data processing is based pursuant to Article 6.1. a) of the GDPR must
meet all the qualities required by this definition.

122. The adjective "free" implies choice and real control for those concerned. The
consent can only be valid if the data subject is genuinely able
to exercise a choice and if there is no risk of deception, intimidation, coercion or
significant negative consequences (e.g. significant additional costs) if it does not give
his consent. Consent will not be free when any element of coercion, pressure
or inability to exercise meaningful choice will be present. Consent will therefore not be
not considered to be freely given if the data subject is not able to refuse
or withdraw consent without suffering prejudice. The controller must also
demonstrate that it is possible to refuse or withdraw consent without suffering prejudice
(recital 42 of the GDPR) 13

123. When determining whether consent is freely given, it is therefore appropriate to
account of a possible imbalance in the balance of power between the person concerned and the manager
treatment. Recital 43 of the GDPR makes it clear that it is not likely that authorizations Similarly, the Litigation Chamber recalls that to be valid, consent must
also be enlightened. For consent to be considered informed, it is necessary that the
controller provides certain information to the data subject, in a form
understandable and easily accessible. Recital 42 of the GDPR requires that the data subject
have, at a minimum, knowledge of the identity of the controller and of the purposes of the processing
for whom this personal data is intended.

131. The Contentious Chamber considers that other elements are also crucial for the
data subject can make an informed decision and that their consent is valid.
The controller should provide information on the type of data concerned
by the proposed processing, on the existence of a right to withdraw consent (art. 7.3 of the GDPR),
on the possible use of data for automated decision-making (art. 22.2 c) of the GDPR)
and, where applicable, on the risks associated with the transfer of data to a country that does not offer protection
adequate and in the absence of appropriate guarantees (art. 49.1 a) of the GDPR) 15
.
132. The Contentious Chamber is of the opinion that, whatever the legal basis on which the
second defendant intends to rely in the future, the formal notice should include a
information in the form of a specific clause containing both the elements required for a
informed consent where applicable, and succinct information directly useful with regard to the
processing (s) concerned (point 106 above).

14 European Data Protection Board, Guidelines 05/2020 on consent within the meaning of
Regulation (EU) 2016/679 (points 121-123):
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf
15 European Data Protection Board, Guidelines 05/2020 on consent within the meaning of
Regulation 2016/679 (point 3.3. pp. 17 et seq. of the French version):
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_fr.pdf
Decision on the merits 81 / 2020- 32/45
133. With regard to compliance with the principle of minimization (article 5.1 c) of the GDPR), the Chamber
Litigation also notes that with regard to the various data requested under "Your
contact details ", no asterisk or other indication indicates that the data subject is free to
choose one of the communication modes (telephone number, GSM number, e-mail address) and
that certain data are therefore optional. Taken in isolation, these data appear relevant
and not excessive, but here too, the presentation and wording used suggest that there is no
no alternative to collecting all the information regarding each section of the table.

134. The Litigation Chamber therefore concludes that there has been a breach of Article 5.1 c) of the GDPR in
the head of the second defendant.
8.2.5. With regard to compliance with Articles 5.2. and 24 of the GDPR

135. In support of the breaches identified above (8.2.1. And 8.2.4.), The Litigation Chamber is
of opinion that the second defendant is in default of having implemented the technical measures and
appropriate organizational structure to ensure and be able to demonstrate that
data that it processes are, in particular taking into account their nature, the context and
purposes they pursue, carried out in accordance with the GDPR.

136. The Contentious Chamber therefore concludes that there has been a breach of Articles 5.2. and 24. 1-2 of
GDPR in respect of the second defendant.
8.2.6. Conclusion as to the breaches of the second defendant

137. In conclusion, the following shortcomings are noted with regard to the second
defendant:
- a breach of its information obligation (article 14.1-2, combined with article 12.3. of
GDPR)
- a lack of legal basis with regard to the collection of data under the form
accompanying the formal notice of payment (article 6 of the GDPR) and a breach of
principle of minimization (article 5.1 c) of the GDPR) given the excessive nature of
requested data.
- a breach of Articles 5.2. and 24. 1-2 of the GDPR.
9. Regarding corrective measures and sanctions
138. Under article 100 LCA, the Litigation Chamber has the power to:
1 ° dismiss the complaint;
Decision on the merits 81 / 2020- 33/45
2 ° order the dismissal;
3 ° pronounce a suspension of the pronouncement;
4 ° propose a transaction;
5 ° issue warnings or reprimands;
6 ° order compliance with the requests of the person concerned to exercise these rights;
7 ° order that the person concerned be informed of the security problem;
8 ° order the freezing, limitation or temporary or definitive prohibition of processing;
9 ° order that the processing be brought into conformity;
10 ° order the rectification, restriction or erasure of data and the notification Similarly, the Litigation Chamber recalls that to be valid, consent must
also be enlightened. For consent to be considered informed, it is necessary that the
controller provides certain information to the data subject, in a form
understandable and easily accessible. Recital 42 of the GDPR requires that the data subject
have, at a minimum, knowledge of the identity of the controller and of the purposes of the processing
for whom this personal data is intended.

131. The Contentious Chamber considers that other elements are also crucial for the
data subject can make an informed decision and that their consent is valid.
The controller should provide information on the type of data concerned
by the proposed processing, on the existence of a right to withdraw consent (art. 7.3 of the GDPR),
on the possible use of data for automated decision-making (art. 22.2 c) of the GDPR)
and, where applicable, on the risks associated with the transfer of data to a country that does not offer protection
adequate and in the absence of appropriate guarantees (art. 49.1 a) of the GDPR) 15
.
132. The Contentious Chamber is of the opinion that, whatever the legal basis on which the
second defendant intends to rely in the future, the formal notice should include a
information in the form of a specific clause containing both the elements required for a
informed consent where applicable, and succinct information directly useful with regard to the
processing (s) concerned (point 106 above).

14 European Data Protection Board, Guidelines 05/2020 on consent within the meaning of
Regulation (EU) 2016/679 (points 121-123):
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf
15 European Data Protection Board, Guidelines 05/2020 on consent within the meaning of
Regulation 2016/679 (point 3.3. pp. 17 et seq. of the French version):
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_fr.pdf
Decision on the merits 81 / 2020- 32/45
133. With regard to compliance with the principle of minimization (article 5.1 c) of the GDPR), the Chamber
Litigation also notes that with regard to the various data requested under "Your
contact details ", no asterisk or other indication indicates that the data subject is free to
choose one of the communication modes (telephone number, GSM number, e-mail address) and
that certain data are therefore optional. Taken in isolation, these data appear relevant
and not excessive, but here too, the presentation and wording used suggest that there is no
no alternative to collecting all the information regarding each section of the table.
134. The Litigation Chamber therefore concludes that there has been a breach of Article 5.1 c) of the GDPR in
the head of the second defendant.
8.2.5. With regard to compliance with Articles 5.2. and 24 of the GDPR

135. In support of the breaches identified above (8.2.1. And 8.2.4.), The Litigation Chamber is
of opinion that the second defendant is in default of having implemented the technical measures and
appropriate organizational structure to ensure and be able to demonstrate that
data that it processes are, in particular taking into account their nature, the context and
purposes they pursue, carried out in accordance with the GDPR.

136. The Contentious Chamber therefore concludes that there has been a breach of Articles 5.2. and 24. 1-2 of
GDPR in respect of the second defendant.
8.2.6. Conclusion as to the breaches of the second defendant

137. In conclusion, the following shortcomings are noted with regard to the second
defendant:
- a breach of its information obligation (article 14.1-2, combined with article 12.3. of
GDPR)
- a lack of legal basis with regard to the collection of data under the form
accompanying the formal notice of payment (article 6 of the GDPR) and a breach of
principle of minimization (article 5.1 c) of the GDPR) given the excessive nature of
requested data.
- a breach of Articles 5.2. and 24. 1-2 of the GDPR.
9. Regarding corrective measures and sanctions
138. Under article 100 LCA, the Litigation Chamber has the power to:
1 ° dismiss the complaint;
Decision on the merits 81 / 2020- 33/45
2 ° order the dismissal;
3 ° pronounce a suspension of the pronouncement;
4 ° propose a transaction;
5 ° issue warnings or reprimands;
6 ° order compliance with the requests of the person concerned to exercise these rights;
7 ° order that the person concerned be informed of the security problem;
8 ° order the freezing, limitation or temporary or definitive prohibition of processing;
9 ° order that the processing be brought into conformity;
10 ° order the rectification, restriction or erasure of data and the notification e or such corrective measure or sanction. If, notwithstanding the above, the complainant
had nevertheless to ask the Litigation Chamber to pronounce one or the other measure
and / or sanction, it is therefore not up to the latter to justify why it would not retain
not one or the other request made by the complainant. These considerations leave intact
the obligation for the Litigation Chamber to justify the choice of measures and sanctions to which
it judges, (among the list of measures and sanctions made available to it by Articles 58 of
GDPR and 95.1 and 100.1 LCA) appropriate to condemn the party in question.
144. In the present case, the Contentious Chamber notes that the complainant seeks in particular
Litigation Chamber that it order compliance under penalty of penalty. Without
prejudice to the above, but since it has just published its policy in this regard, the
Litigation Chamber refers on this point to the publication now available on its website
Internet17
.
145. With regard to the administrative fine, the Contentious Chamber emphasizes that its aim is
to effectively enforce the rules of the GDPR. Other measures, such as the order of
compliance or the prohibition to continue certain treatments, for example, allow
they put an end to a breach found. As can be seen from recital 148 of the GDPR,
sanctions, including administrative fines, are imposed in the event of serious violations,
in addition to or in place of the appropriate measures that are required. Therefore, the fine
administrative can certainly come to sanction a serious breach to which it would have been
remedied during the proceedings or which would be about to be remedied. The fact remains that
the Litigation Chamber will take into account what has been terminated or what is in progress
to remedy the said breaches in setting the amount of the fine.
9.1. As to the first defendant
146. The Contentious Chamber noted a breach of Articles 14. 1-2 combined with Article
12.1 and 12.3, 15.1 combined with Article 12.3 and Article 12.2., 5.1 c) and 5.2. 24. 1-2 of the GDPR (point 92
above).

17 See. on the APD website, Section Authority - Organization - Litigation Chamber:
https://www.autoriteprotectiondonnees.be/citoyen/l-autorite/ organizations and
https://www.autoriteprotectiondonnees.be/professionnel/l-autorite/ organizations
Decision on the merits 81 / 2020- 36/45

147. In view of the observation of these breaches, the Contentious Chamber addresses to the first
defendant a reprimand on the basis of Article 100. 1, 5 ° LCA.

148. The Contentious Chamber further notes that the first defendant has, without
await the decision of the Litigation Chamber, upon its conclusions and during the hearing, taken a
a number of commitments to remedy the shortcomings identified by the Inspector General in
his report. The Litigation Chamber is of the opinion that a number of changes and measures
must in fact, as quickly as possible, be brought by the first defendant to
comply with its obligations under the GDPR. The Litigation Chamber therefore
imposes a detailed compliance order for the device in application of article 100. 1, 9 ° LCA
(see in this regard the clarification in point 141 above).

149. In addition to this reprimand18 and this order for compliance, the Contentious Chamber is
of the opinion that in addition, an administrative fine is justified in this case for the following reasons.

150. As to the nature of the violation, the Contentious Chamber notes that with regard to the
breach of Article 5.1 c) of the GDPR, it constitutes a breach of one of the principles
founders of the GDPR (and of data protection law in general), or the principle of
minimization devoted to Chapter II "Principles" of the GDPR.

151. As regards the breaches of Article 14. 1-2 combined with Articles 12.3 and 12.1 of the GDPR, in Article
15. 1 of the GDPR (combined with Article 12.3 and Article 12.2. Of the GDPR), they constitute breaches
the rights of data subjects. These information and access rights have also been strengthened
under the GDPR, which shows their particular importance. The Protection Authority
in this perspective, has made compliance with them a priority in its plan.
strategy 2020-2025.19 The appropriate corrective measure / sanction is nonetheless determined
case by case.

152. Finally, with regard to the breach of Article 5.2. and 24. 1-2 of the GDPR, it also constitutes a
breach of the key principle of accountability, introduced by the GDPR.

18 The Contentious Chamber here intends to clarify the distinction between warning and reprimand: the warning
is intended to notify a controller or a processor that the trafficking operations is lying
envisaged are likely to violate the provisions of the RGPD (article 58.2 a) of the RGPD, article 95.1, 4 ° and article
100.1, 5 ° LCA). The reprimand (or call to order) aims to call to order a controller or a
processor when the processing operations have resulted in a violation of the provisions of the GDPR (article
58.2 b) of the GDPR and article 100.1, 5 ° LCA).
19 Data Protection Authority (DPA), Strategic Plan 2020-2025:
https://www.autoriteprotectiondonnees.be/publications/plan-strategique-2020-2025.pdf
Decision on the merits 81 / 2020- 37/45

153. Pursuant to Article 83.5 a) of the GDPR, violations of all these provisions may
amount to 20,000,000 euros or in the case of a company, up to 4% of turnover
global annual total for the previous financial year. The maximum fine amounts that can be applied
in case of violation of these provisions are higher than those provided for other types of
breaches listed in section 83.4. of the GDPR. As regards breaches of a fundamental right,
devoted to Article 8 of the Charter of Fundamental Rights of the European Union, the appreciation of
their gravity will be, as the Litigation Chamber has already had the opportunity to point out, in support of
Article 83.2.a) of the GDPR, autonomously20
.
154 It has already been noted that in the context of the inspection, the letters in response to
the Inspector General were signed by the group [...]. At the hearing on July 13, 2020, the first
defendant confirmed to be part of this group.

155 In determining the amount of the fine, the Contentious Chamber takes into account the
concept of company (article 83.5 of the GDPR). The Litigation Chamber also takes into account
the opinion of the European Data Protection Committee, of which it particularly retains this
following:
"In order to impose effective, proportionate and dissuasive fines, the supervisory authorities
will rely on the definition of the concept of enterprise provided by the CJEU for the purposes of
the application of Articles 101 and 102 of the TFEU, namely that the concept of company must
be understood as an economic unit that can be formed by the parent company and all
the subsidiaries concerned. In accordance with Union law and case law, it is necessary
to understand by enterprise the economic unit engaged in commercial activities or
economic, regardless of the legal person involved (recital 150). "
21

156. As to the number of persons concerned affected by the violations, the Chamber
Litigation notes that the breaches noted concern, beyond the sole complainant, a
large number of people. The first defendant is the holder of concessions of
parking in […] municipalities. The shortcomings observed are part of the practice
of the first defendant and are consecutive to the failure to set up

20 See in this regard, decision 64/2020 of the Contentious Chamber (point 54):
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-64-2020.pdf
21 European Data Protection Board, Guidelines on the application and setting of fines
Administrative Rules for the purposes of Regulation (EU) 2016/679, WP 253, adopted on 3 October 2017, p. 6, available at
www.edpb.europa.eu. See also, decision 37/2020 of the Contentious Chamber.
Decision on the merits 81 / 2020- 38/45
effective procedures for exercising rights in particular. The number of people concerned is therefore
Student.

157. As to the status of the first defendant, the Contentious Chamber recalls that in
previous decisions22, it has already retained the status of public representative of the head of
treatment as an aggravating factor within the meaning of Article 83.2. k) of the GDPR. Without constituting a
public representative in the strict sense of the term, the first defendant in office no less
public competence which has been entrusted to it by concession. As such, it must adopt a
exemplary attitude. The "infringement" context in which the processing takes place
of data that it processes requires, in view of their purpose, also particular respect
rigorous rights of the persons concerned. Data processing is also a
substantial part of the activity of the first defendant.

158. As to the duration criterion, the Litigation Chamber notes that these breaches lasted
in time (Article 83.1 a) of the GDPR), at least since May 25, 2018, except for what is
the breach of Article 5.1 c) of the GDPR more limited in time.

159. As to the question of whether the breaches were committed willfully or not (para
negligence) (art. 83.2.b) of the GDPR), the Litigation Chamber recalls that "not deliberately" means
that there was no intention to commit the violation, although the controller t or the
subcontractor has not complied with its duty of care under the law. In
In the present case, the Litigation Chamber is of the opinion that the facts and the shortcomings noted - were they
serious - do not reflect a deliberate intention to violate the GDPR in the first instance
defendant.

160. The Contentious Chamber finally notes that the first defendant cooperated with the APD
throughout the procedure (Article 83.2. f) of the GDPR), in particular with the Inspectorate, and admits that
the management of the complainant's case requires her to make substantial improvements to her
current functioning with regard to the rights of data subjects. The first defendant has,
as already underlined, moreover made a certain number of commitments to comply with this
respect23
.

22 See decision 10/2019 of the Contentious Chamber (page 12)
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-10-2019.pdf as well as its
decision 11/2019 (page 10) https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n11-2019.pdf
23 As for information, the first defendant makes a number of commitments vis-à-vis the ODA,
the terms of which are reproduced below (points 42 to 45 of the conclusions of the first defendant):
42. The conclusive woman realized that the information provided was not sufficient with regard to
obligations incumbent upon him. The conclusive therefore undertakes to provide the Protection Authority with
Decision on the merits 81 / 2020- 39/45

161. The Contentious Chamber notes that the other criteria of Article 83.2. of the GDPR are not
neither relevant nor likely to influence its decision on the imposition of an administrative fine
and its amount.

162. In conclusion, in view of the elements developed above specific to this case, the
Litigation Chamber considers that the facts noted and the breach of Articles 14.1-2 combined
in Article 12.1 and 12.3, 15.1 combined with Article 12.3 and 12.2., 5.1 c) and 5.2. and 24.1-2 of the GDPR, justify
as an effective, proportionate and dissuasive sanction as provided for in Article 83 of the GDPR
and taking into account the assessment factors listed in Article 83.2. GDPR and the reaction of the
first defendant to the proposed fine form, a reprimand (article 100.1, 5 ° LCA) and
a compliance order detailed below (article 100.1, 9 ° LCA) accompanied by a fine
administrative costs in the amount of 50,000 euros (article 100.1, 13 ° and 101 LCA) are pronounced at
against the first defendant.

163. In fixing this amount, the Litigation Chamber took into account that the first
defendant is part of the group [...], of the annual turnover of this group and of the financial base
of the last. It also took into account the information given by the first defendant
in its reaction to the proposed fine form according to which the group is experiencing a clear
decrease in revenues in the current context of the covid-19 virus pandemic.

164. With regard to these elements, the amount of 50,000 euros remains proportionate to the
breaches denounced. The Litigation Chamber is of the opinion that an amount of fine less than
50,000 euros would not meet, in this case, the criteria required by Article 83.1. of the GDPR according to
which the administrative fine must be effective, proportionate and dissuasive. In his decision
01/2020 of 9 November 2020, the European Data Protection Board insists in this regard

Data, as soon as possible, an information document that will meet the requirements of Article 14
of the GDPR and which will appear on its website (Exhibit 41).
43. In addition, the conclusive one will ensure that this notice allows easy access to the information
relating to data protection by creating an explanatory note which will be located in a single place
on its website.1
44. In addition, the conclusive one will put in place a clear reference on the invitation to pay to ensure
that data subjects understand directly that all information is accessible
on its website. In addition, the conclusive one will review, again, as soon as possible, the content
of the privacy message at the bottom of their reminder letter.
45. Finally, the conclusive undertakes to redo audit its entire website in order to set up
all the documentation, details and references in the necessary forms so that the
people concerned can easily access complete information.
Decision on the merits 81 / 2020- 40/45
on the fact that the height of the amount of the fine contributes to the effectiveness, proportion and
deterrent to the fine24
.
9.2. As for the second defendant

165. The Contentious Chamber found a breach of article 14.1-2 combined with article
12.3, section 6, section 5.1 c) and sections 5.2. and 24. 1-2 of the GDPR in the case of the second
defendant (paragraph 137 above).

166. In view of these shortcomings, the Litigation Chamber addresses the second
defendant a reprimand on the basis of Article 100. 1, 5 ° LCA.

167. The Contentious Chamber also takes note of the fact that the second defendant is,
in terms of its findings and at the hearing, proposed to make certain changes in
his practice. The Litigation Chamber is in fact of the opinion that a number of modifications and
measures must in fact, as quickly as possible, be brought by the second defendant
to comply with its obligations under the GDPR. Therefore, the Chamber
Litigation imposes a detailed compliance order on the device pursuant to article
100. 1, 9 ° LCA (see in this regard the clarification in point 141 above).

168. In addition to this reprimand25 and this order for compliance, the Contentious Chamber is
of the opinion that in addition, an administrative fine is justified in this case for the following reasons.

169. As to the nature of the violation, the Contentious Chamber notes that with regard to the
breach of Article 6 of the GDPR (lack of legal basis - forced consent) and Article 5.1 c)

24 European Data Protection Board, Decision 01/2020 on the dispute arisen on the draft decision
of the Irish Supervisory Authority regarding Twitter International Company under Article 65 (1) (a) GDPR
(only available in English)

See. § 199: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_bindingdecision01_2020_en.pdf
“199 Following this, the EDPB considers that the fine proposed in the Draft Decision is too low and
therefore does not fulfill its purpose as a corrective measure, in particular it does not meet the
requirements ofArticle83 (1) GDPR of being effective, dissuasive and proportionate. ”
Free translation by the ODA Secretariat:
"199. Consequently, the EDPS considers that the amount of the fine proposed under the draft
decision-making process is too weak and, for this reason, does not fulfill its role as a corrective measure. In particular,
this amount does not meet the requirements of section 83.1. of the GDPR according to which the fine must be
effective, proportionate and dissuasive ”.
25 The Contentious Chamber here intends to clarify the distinction between warning and reprimand: the warning
is intended to notify a controller or processor that the processing operations
envisaged are likely to violate the provisions of the RGPD (article 58.2 a) of the RGPD, article 95.1, 4 ° and article
100.1, 5 ° LCA). The reprimand (or call to order) aims to call to order a controller or a
processor when the processing operations have resulted in a violation of the provisions of the GDPR (article
58.2 b) of the GDPR and article 100.1, 5 ° LCA).
Decision on the merits 81 / 2020- 41/45
of the GDPR, they constitute breaches of the founding principles of the GDPR (and of
data protection in general), or the principles of lawfulness and minimization devoted to
Chapter II “Principles” of the GDPR. While the data collected at the end of the form are
mainly identification data and do not constitute sensitive data within the meaning of
Articles 9 and 10 of the GDPR. However, they are processed, as will be mentioned in point 176.
below, in an “infringement” context. The Litigation Chamber will take this
double consideration.

170. As for the breach of article 14.1-2 combined with article 12.3 of the GDPR, it constitutes a
infringement of the rights of data subjects - notwithstanding the existence of a confidentiality policy
moreover, which the Contentious Chamber is aware of and which it takes into account (paragraph 179). The
right to information has been strengthened under the GDPR, demonstrating its importance
particular. In this perspective, the Data Protection Authority has ensured respect for the rights
of the people concerned as a priority in its 2020-2025 strategic plan26. Measurement
However, the appropriate corrective / sanction is determined on a case-by-case basis.

171. Finally, with regard to the breach of Article 5.2. and 24. 1-2 of the GDPR, it also constitutes a
breach of the key principle of accountability, introduced by the GDPR.

172. Pursuant to Article 83.5 a) of the GDPR, violations of all these provisions may
amount to 20,000,000 euros or in the case of a company, up to 4% of turnover
global annual total for the previous financial year. The maximum fine amounts that can be applied
in case of violation of these provisions are higher than those provided for other types of
breaches listed in section 83.4. of the GDPR. As regards breaches of a fundamental right,
enshrined in Article 8 of the Charter of Fundamental Rights of 5.2. and 24. 1-2 of the GDPR in the case of the second
defendant (paragraph 137 above).
166. In view of these shortcomings, the Litigation Chamber addresses the second
defendant a reprimand on the basis of Article 100. 1, 5 ° LCA.
167. The Contentious Chamber also takes note of the fact that the second defendant is,
in terms of its findings and at the hearing, proposed to make certain changes in
his practice. The Litigation Chamber is in fact of the opinion that a number of modifications and
measures must in fact, as quickly as possible, be brought by the second defendant
to comply with its obligations under the GDPR. Therefore, the Chamber
Litigation imposes a detailed compliance order on the device pursuant to article
100. 1, 9 ° LCA (see in this regard the clarification in point 141 above).
168. In addition to this reprimand25 and this order for compliance, the Contentious Chamber is
of the opinion that in addition, an administrative fine is justified in this case for the following reasons.
169. As to the nature of the violation, the Contentious Chamber notes that with regard to the
breach of Article 6 of the GDPR (lack of legal basis - forced consent) and Article 5.1 c)

24 European Data Protection Board, Decision 01/2020 on the dispute arisen on the draft decision
of the Irish Supervisory Authority regarding Twitter International Company under Article 65 (1) (a) GDPR
(only available in English)
See. § 199: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_bindingdecision01_2020_en.pdf
“199 Following this, the EDPB considers that the fine proposed in the Draft Decision is too low and
therefore does not fulfill its purpose as a corrective measure, in particular it does not meet the
requirements ofArticle83 (1) GDPR of being effective, dissuasive and proportionate. ”
Free translation by the ODA Secretariat:
"199. Consequently, the EDPS considers that the amount of the fine proposed under the draft
decision-making process is too weak and, for this reason, does not fulfill its role as a corrective measure. In particular,
this amount does not meet the requirements of section 83.1. of the GDPR according to which the fine must be
effective, proportionate and dissuasive ”.
25 The Contentious Chamber here intends to clarify the distinction between warning and reprimand: the warning
is intended to notify a controller or processor that the processing operations
envisaged are likely to violate the provisions of the RGPD (article 58.2 a) of the RGPD, article 95.1, 4 ° and article
100.1, 5 ° LCA). The reprimand (or call to order) aims to call to order a controller or a
processor when the processing operations have resulted in a violation of the provisions of the GDPR (article
58.2 b) of the GDPR and article 100.1, 5 ° LCA).
Decision on the merits 81 / 2020- 41/45
of the GDPR, they constitute breaches of the founding principles of the GDPR (and of
data protection in general), or the principles of lawfulness and minimization devoted to
Chapter II “Principles” of the GDPR. While the data collected at the end of the form are
mainly identification data and do not constitute sensitive data within the meaning of
Articles 9 and 10 of the GDPR. However, they are processed, as will be mentioned in point 176.
below, in an “infringement” context. The Litigation Chamber will take this
double consideration.

170. As for the breach of article 14.1-2 combined with article 12.3 of the GDPR, it constitutes a
infringement of the rights of data subjects - notwithstanding the existence of a confidentiality policy
moreover, which the Contentious Chamber is aware of and which it takes into account (paragraph 179). The
right to information has been strengthened under the GDPR, demonstrating its importance
particular. In this perspective, the Data Protection Authority has ensured respect for the rights
of the people concerned as a priority in its 2020-2025 strategic plan26. Measurement
However, the appropriate corrective / sanction is determined on a case-by-case basis.

171. Finally, with regard to the breach of Article 5.2. and 24. 1-2 of the GDPR, it also constitutes a
breach of the key principle of accountability, introduced by the GDPR.

172. Pursuant to Article 83.5 a) of the GDPR, violations of all these provisions may
amount to 20,000,000 euros or in the case of a company, up to 4% of turnover
global annual total for the previous financial year. The maximum fine amounts that can be applied
in case of violation of these provisions are higher than those provided for other types of
breaches listed in section 83.4. of the GDPR. As regards breaches of a fundamental right,
enshrined in Article 8 of the Charter of Fundamental Rights of ontentieuse notes that the other criteria of Article 83.2. of the GDPR are not
neither relevant nor likely to influence its decision on the imposition of an administrative fine
and its amount.

181. In conclusion, in view of the elements developed above specific to this case, the
Litigation Chamber considers that the facts noted and the breach of Article 14.1-2 combined with
Section 12.3, Section 6, Section 5.1 (c) and Section 5.2. and 24. 1-2 of the GDPR, justify that under
effective, proportionate and dissuasive sanction as provided for in Article 83 of the GDPR and account
taking into account the assessment factors listed in Article 83.2. GDPR and the reaction of the second
defendant to the proposed fine form, a reprimand (article 100.1, 5 ° LCA) and an order
of compliance detailed below (article 100.1, 9 ° LCA) accompanied by an administrative fine
in an amount of 15,000 euros (article 100.1, 13 ° and 101 LCA) are pronounced against the
second defendant.
10. As for transparency

182. In view of the importance of transparency in the decision-making process
and the decisions of the Litigation Chamber, this decision will be published on the website of the APD
by deleting the direct identification data of the parties and persons mentioned,
whether they are physical or legal.

183. The Litigation Chamber is aware that the complainant requested the publication by name
of this decision. The contentious chamber is of the opinion that it is not for the complainant to request
such measure. In this case, the Litigation Chamber does not care less to clarify than in the context
of the wide margin of appreciation on the application of Article 100.1, 16 LCA which is its own, it decides
not to publish this decision mentioning the data controllers involved.

Decision on the merits 81 / 2020- 44/45
When it decided to publish its decisions stating the identity of the defendant, the
Litigation Chamber justified its decision by the fact that this advertisement would guarantee
rapid compliance, would help reduce the risk of reoccurrence and aim to educate the public
taking into account the data controller involved. In addition, any pseudonymization of the name
of the defendant would have been in these few cases illusory29. She doesn't think it necessary to do it
in this case.

FOR THESE REASONS
THE LITIGATION CHAMBER
After deliberating, decides to:
 With regard to the first defendant
- Issue a reprimand against the defendant on the basis of article 100.1, 5 °
LCA;
- Issue an order of compliance in terms of the implementation of rights
information and access for the persons concerned, on the basis of Article 100.1, 9 ° LCA.
To this end, the first defendant is requested to communicate to the APD both its
confidentiality policy applicable to the processing operations covered by this decision that his / her
information clause (s) as well as the procedure put in place to respond to the exercise of
permission to access. This production of documents must take place within 3 months from
of the notification of this decision via the address litigationchamber@apd-gba.be
- Impose an administrative fine against the defendant in the amount of 50,000
euros in application of articles 100.1, 13 ° and 101 LCA.
 With regard to the second defendant:
- Issue a reprimand against the defendant on the basis of article 100.1, 5 °
LCA;
- Issue a compliance order in terms of information (confidentiality policy
and information clauses) and basic legality of the form attached to the formal notices of

29 See decision 37/2020 of the Contentious Chamber (point 183):
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-37-2020.pdf
Decision on the merits 81 / 2020- 45/45
payment and this, on the basis of article 100.1, 9 ° LCA. For this purpose, the second
the defendant to communicate to the DPA both its confidentiality policy applicable to
processing covered by this decision that its information clause (s) as well as the
manner in which it intends to respond to the shortcomings related to the aforementioned form. The
communication of these documents must take place within 3 months from the date of
notification of this decision via the address litigationchamber@apd-gba.be
- Impose an administrative fine against the defendant in the amount of 15,000
euros in application of articles 100.1, 13 ° and 101 LCA.

Under Article 108.1 LCA, this decision may be appealed to the Court of
contracts (Brussels Court of Appeal) within 30 days of notification, with
the Data Protection Authority as respondent.
(Sé.)
Hielke hijmans
President of the Litigation Chamber